diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/man/SSL_CTX_set_options.3 | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3 index 98c1a6d365..f7445ad7c4 100644 --- a/src/lib/libssl/man/SSL_CTX_set_options.3 +++ b/src/lib/libssl/man/SSL_CTX_set_options.3 | |||
| @@ -1,5 +1,6 @@ | |||
| 1 | .\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2017/08/19 23:45:10 schwarze Exp $ | 1 | .\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2018/02/27 17:08:20 schwarze Exp $ |
| 2 | .\" OpenSSL 361a1191 Dec 6 17:56:41 2015 +0100 | 2 | .\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100 |
| 3 | .\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000 | ||
| 3 | .\" | 4 | .\" |
| 4 | .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>, | 5 | .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>, |
| 5 | .\" Bodo Moeller <bodo@openssl.org>, and | 6 | .\" Bodo Moeller <bodo@openssl.org>, and |
| @@ -51,7 +52,7 @@ | |||
| 51 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | 52 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 52 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. | 53 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. |
| 53 | .\" | 54 | .\" |
| 54 | .Dd $Mdocdate: August 19 2017 $ | 55 | .Dd $Mdocdate: February 27 2018 $ |
| 55 | .Dt SSL_CTX_SET_OPTIONS 3 | 56 | .Dt SSL_CTX_SET_OPTIONS 3 |
| 56 | .Os | 57 | .Os |
| 57 | .Sh NAME | 58 | .Sh NAME |
| @@ -154,12 +155,9 @@ Disables a countermeasure against a TLS 1.0 protocol vulnerability | |||
| 154 | affecting CBC ciphers, which cannot be handled by some broken SSL | 155 | affecting CBC ciphers, which cannot be handled by some broken SSL |
| 155 | implementations. | 156 | implementations. |
| 156 | This option has no effect for connections using other ciphers. | 157 | This option has no effect for connections using other ciphers. |
| 157 | .It Dv SSL_OP_TLSEXT_PADDING | ||
| 158 | Adds a padding extension to ensure the ClientHello size is never between 256 | ||
| 159 | and 511 bytes in length. | ||
| 160 | This is needed as a workaround for some implementations. | ||
| 161 | .It Dv SSL_OP_ALL | 158 | .It Dv SSL_OP_ALL |
| 162 | All of the above bug workarounds. | 159 | This is currently an alias for |
| 160 | .Dv SSL_OP_LEGACY_SERVER_CONNECT . | ||
| 163 | .El | 161 | .El |
| 164 | .Pp | 162 | .Pp |
| 165 | It is usually safe to use | 163 | It is usually safe to use |
| @@ -237,7 +235,8 @@ and no longer have any effect: | |||
| 237 | .Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG , | 235 | .Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG , |
| 238 | .Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG , | 236 | .Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG , |
| 239 | .Dv SSL_OP_TLS_BLOCK_PADDING_BUG , | 237 | .Dv SSL_OP_TLS_BLOCK_PADDING_BUG , |
| 240 | .Dv SSL_OP_TLS_D5_BUG . | 238 | .Dv SSL_OP_TLS_D5_BUG , |
| 239 | .Dv SSL_OP_TLSEXT_PADDING . | ||
| 241 | .Sh SECURE RENEGOTIATION | 240 | .Sh SECURE RENEGOTIATION |
| 242 | OpenSSL 0.9.8m and later always attempts to use secure renegotiation as | 241 | OpenSSL 0.9.8m and later always attempts to use secure renegotiation as |
| 243 | described in RFC5746. | 242 | described in RFC5746. |
| @@ -268,9 +267,8 @@ alert is sent. | |||
| 268 | This is because the server code may be unaware of the unpatched nature of the | 267 | This is because the server code may be unaware of the unpatched nature of the |
| 269 | client. | 268 | client. |
| 270 | .Pp | 269 | .Pp |
| 271 | .Em N.B.: | 270 | Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which |
| 272 | a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will | 271 | are unpatched) will result in the connection hanging if it receives a |
| 273 | result in the connection hanging if it receives a | ||
| 274 | .Em no_renegotiation | 272 | .Em no_renegotiation |
| 275 | alert. | 273 | alert. |
| 276 | OpenSSL versions 0.9.8m and later will regard a | 274 | OpenSSL versions 0.9.8m and later will regard a |